Information Security News mailing list archives

Hospitals back off Cisco LEAP security for WLANs


From: InfoSec News <isn () c4i org>
Date: Mon, 20 Oct 2003 00:23:45 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,86189,00.html

Story by Bob Brewin 
OCTOBER 17, 2003 
COMPUTERWORLD 

For some health care IT managers, Cisco Systems Inc.'s wireless LAN
authentication protocol's vulnerability to attacks aimed at
discovering passwords is reinforcing the importance of developing
multilayered approaches to securing their networks.

Several users this week said they have already adopted or plan to
install a mix of WLAN authentication and encryption protocols to
ensure that their companies comply with the data privacy requirements
of the federal Health Insurance Portability and Accountability Act.

Chris Lenaghen, a network engineer at St. Alphonsus Regional Medical
Center in Boise, Idaho, said he views Cisco's Lightweight Extensible
Authentication Protocol (LEAP) as "a temporary solution" until the
hospital can install an updated version of Novell Inc.'s Extend
Director software.

The Novell software supports the Lightweight Directory Access Protocol
(LDAP), which Lenaghen said should make it harder for malicious
hackers to run so-called dictionary attacks against the hospital's
WLAN. St. Alphonsus will speed up its move from LEAP to LDAP because
of the Cisco technology's vulnerability, Lenaghen said.

Cisco disclosed in early August that LEAP could be compromised by
dictionary attacks. At a conference earlier this month, Joshua Wright,
a systems engineer at Johnson & Wales University in Providence, R.I.,
demonstrated such an attack using a tool he developed. In an interview
this week, Wright said he plans to make the attack tool publicly
available in February.

Gene Gretzer, a senior analyst and project leader for access
technologies at St. Luke's Episcopal Health System in Houston, said
the health care provider uses LEAP to help secure 100 wireless
access-point devices made by Cisco. But St. Luke's also controls WLAN
access through a database of Media Access Control (MAC) addresses and
use of the Advanced Encryption Standard.

Miami Children's Hospital in Coral Gables, Fla., has taken a layered
approach to WLAN security as well, said Alex Naveira, its chief
information security officer. In addition to LEAP, the hospital is
using MAC address authentication and 128-bit Secure Sockets Layer
encryption.

Ron Seide, product line manager at Cisco's wireless business unit,
agreed that many organizations need stronger authentication
capabilities than LEAP provides.

He said Cisco recommends that such users install the Protected
Extensible Authentication Protocol (PEAP), which relies on digital
certificates to control network access. PEAP was co-developed by
Cisco, Microsoft Corp. and RSA Security Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

